Date: Tue, 27 Jun 2000 10:23:39 -0700
From: Ron 'The InSaNe One' Rosson <insane@lunatic.oneinsane.net>
To: Paul Hart <hart@iserver.com>
Cc: Salvo Bartolotta <bartequi@inwind.it>, freebsd-security@FreeBSD.ORG
Subject: Re: icmp type 3 code 4: a couple of questions
Message-ID: <20000627102339.B861@lunatic.oneinsane.net>
In-Reply-To: <Pine.BSF.4.21.0006271057330.29364-100000@anchovy.orem.iserver.com>; from hart@iserver.com on Tue, Jun 27, 2000 at 11:07:00AM -0600
References: <20000627.17395900@bartequi.ottodomain.org> <Pine.BSF.4.21.0006271057330.29364-100000@anchovy.orem.iserver.com>
On Tue, 27 Jun 2000, Paul Hart was heard blurting out:
> On Tue, 27 Jun 2000, Salvo Bartolotta wrote:
>
> > Well, actually, my homebox will behave, as it were, like a Klingon
> > spaceship: for example, it will normally deny **all** icmptypes except
> > type 3 code 4 (DF). When I need to ping, traceroute, etc., I will
> > *temporarily* remove some restrictions.
>
> If you are using IP Filter, why not let it do the work for you?
>
> It is very easy to set up a "cloaked" firewall machine like you describe
> with IP Filter. In this situation, you can easily block all incoming
> ICMP/UDP/TCP packets as a general rule and rely entirely on IP Filter
> setting state rules for connections, traceroutes, or pings that were
> initiated from behind the firewall. That will let traceroute and ping
> automatically work from behind the firewall out to hosts outside the
> firewall, but you are otherwise 100% invisible to any other host on the
> Internet.
>
> Paul Hart
>

I would love to see your rule set that accomplishes this on a gateway
firewall. (No NAT)

TIA

-- 
------------------------------------------------------------------------------
Ron Rosson                              ... and a UNIX user said ...
The InSaNe One                                    rm -rf *
insane@oneinsane.net                 and all was /dev/null and *void()
------------------------------------------------------------------------------
Instant sex will never be better than the kind you have to peel and cook.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
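The stateful, "cloaked" IP Filter setup Paul describes, written out as an ipf.conf rule set for a routing gateway without NAT, as an added example; this is not a rule set posted by anyone in the thread. The interface names fxp0 (Internet side) and xl0 (LAN side) are assumptions, and the rules assume the LAN side is trusted.

```ipf
# /etc/ipf.conf  (added example; fxp0 = Internet side, xl0 = LAN side are assumed)
#
# IP Filter uses last-match semantics unless a rule says "quick", and the state
# table is consulted before the rules, so a reply that matches an existing state
# entry passes without any "pass in" rule on the Internet side.

# Loopback is unrestricted.
pass in  quick on lo0 all
pass out quick on lo0 all

# LAN side (assumed trusted): hosts behind the gateway may reach it and go out
# through it; replies coming back from the Internet side leave via xl0 here.
pass in  quick on xl0 all
pass out quick on xl0 all

# Internet side: the only unsolicited packet accepted is ICMP type 3 code 4
# (destination unreachable, fragmentation needed), so path MTU discovery keeps
# working for connections that set DF.
pass in  quick on fxp0 proto icmp from any to any icmp-type unreach code 4

# Traffic leaving on the Internet side, whether from the gateway itself or
# forwarded from the LAN, is passed with "keep state". The state entry lets the
# matching replies back in: TCP segments of the connection (state is created only
# on the initial SYN), UDP datagrams for the same 4-tuple (what traceroute sends),
# and ICMP echo replies for outgoing echo requests (ping).
pass out quick on fxp0 proto tcp  from any to any flags S keep state
pass out quick on fxp0 proto udp  from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state

# Everything else on the Internet side is dropped silently: no TCP RST and no
# ICMP unreachable go back, which is what makes the box look like it is not
# there. Logged so that ipmon can show what was dropped.
block in  log quick on fxp0 all
block out log quick on fxp0 all
```

Load it with `ipf -Fa -f /etc/ipf.conf` and watch the state table with `ipfstat -sl` while running ping or traceroute from a LAN host. Two caveats a practitioner should check rather than assume: traceroute from behind the firewall also needs the ICMP time-exceeded and port-unreachable errors for its UDP probes to be matched against the UDP state entries, which is a property of the IP Filter version in use, not of these rules; and because inbound ICMP echo requests are dropped, the gateway itself will not answer ping from the Internet side until a `pass in quick on fxp0 proto icmp from any to any icmp-type echo` rule is added, which is the temporary relaxation Salvo described.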